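---
# Enables GitHub auto-merge on Dependabot pull requests that look like security
# updates. Nothing is merged by this workflow itself: auto-merge only completes
# once the target branch's required checks and reviews pass, so branch
# protection on that branch is what actually gates the merge.
name: Auto-merge Dependabot security updates

# pull_request_target runs the workflow from the base branch with a
# write-capable token. That is what makes enabling auto-merge possible, and it
# is acceptable here only because no step checks out or executes code from the
# PR head — keep it that way if steps are added.
on:
  pull_request_target:
    types: [opened, labeled, reopened, ready_for_review]

# Least privilege for the default GITHUB_TOKEN: enabling auto-merge needs
# contents + pull-requests write; posting the comment needs pull-requests write.
permissions:
  contents: write
  pull-requests: write

jobs:
  enable-automerge:
    name: Enable auto-merge for Dependabot security PRs
    runs-on: ubuntu-latest
    # Only Dependabot-authored PRs. A `labeled` event raised by a person on any
    # other PR is skipped here, before any step runs.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' ||
      github.event.pull_request.user.login == 'dependabot-preview[bot]'
    steps:
      - name: Check PR labels for security
        id: label-check
        # TODO(review): pin third-party actions to a full commit SHA rather than
        # a moving tag (supply-chain hardening); applies to every `uses:` below.
        uses: actions/github-script@v6
        with:
          script: |
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
            });
            const labels = pr.data.labels.map((l) => l.name.toLowerCase());
            // NOTE(review): this classification is broad. A non-security bump
            // whose release notes merely mention "security" also qualifies, and
            // the `security` label can be applied by anyone with triage access.
            // Boolean() keeps the value true/false even when the body is null
            // (`null && ...` would otherwise leak through as the result).
            const isSecurity = Boolean(
              labels.includes('security') ||
                labels.includes('dependabot-security') ||
                (pr.data.body && /security/i.test(pr.data.body)),
            );
            // Publish as a named step output. A bare `return` only lands in
            // `outputs.result` (JSON-encoded), so `outputs.isSecurity` was never
            // set and the two conditional steps below could never run.
            core.setOutput('isSecurity', String(isSecurity));

      - name: Enable GitHub auto-merge on PR
        if: steps.label-check.outputs.isSecurity == 'true'
        uses: peter-evans/enable-pull-request-automerge@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          pull-request-number: ${{ github.event.pull_request.number }}
          merge-method: squash

      - name: Comment when auto-merge enabled
        if: steps.label-check.outputs.isSecurity == 'true'
        uses: actions/github-script@v6
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: 'Auto-merge enabled for this Dependabot security update. Merge will occur automatically once required checks pass.',
            });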